danmiles86
just joined
Topic Author
Posts: 14
Joined: Thu Mar 24, 2016 10:54 pm

CRS328 VLAN - Management Port

Sat Jul 11, 2020 4:36 am

Hi all.

I'm really struggling with the 'new' VLAN implementation on my CRS328s. My devices are RB4011<-->CRS328<-->CRS328. I have them joined using 10gbe DACs.

I have DHCP server set up on the RB on VLAN200. I've then added the correct 10gbe ports to the bridge, added port 200 to the VLAN table. I've then configured ether1 on each CRS by adding the port to the bridges and adding it as untagged on VLAN200. If I then connect a machine to ether 1 on either switch I get an IP and can ping the RB. All great so far!

Where it all goes wrong is with the management port.

I've tried following https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table and it has this simple example for adding management to VLAN 99.
/interface vlan
add interface=bridge1 name=VLAN99 vlan-id=99
/ip address
add address=192.168.99.2/24 interface=VLAN99
However when I do this I can never get to this IP. I've tried putting a DHCP client on this interface and it doesn't work either. However if I put a DHCP client on the SFP port it does. However this is only accessible from that 'side' of the bridge so I can't use it for management.

Any ideas what I'm doing wrong? Looked at it so long I'm obviously missing something obvious but can't see the wood for the trees.

Thank you.

'Middle' CRS config - 10.200.0.10 not reachable from other devices
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1-mainrouter
set [ find default-name=sfp-sfpplus2 ] name=sfp-sfpplus2-garageswitch
/interface vlan
add interface=bridge1 name=vlan200-bridge vlan-id=200
add interface=sfp-sfpplus2-garageswitch name=vlan200-garageswitch vlan-id=200
add interface=sfp-sfpplus1-mainrouter name=vlan200-mainrouter vlan-id=200
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1-mainrouter
add bridge=bridge1 interface=ether1 pvid=200
add bridge=bridge1 interface=sfp-sfpplus2-garageswitch
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1-mainrouter,sfp-sfpplus2-garageswitch \
    untagged=ether1 vlan-ids=200
/ip address
add address=10.200.0.10/24 interface=vlan200-bridge network=10.200.0.0
/ip dhcp-client
add interface=sfp-sfpplus1-mainrouter
add disabled=no interface=vlan200-mainrouter
add disabled=no interface=bridge1
add interface=vlan200-bridge
add interface=vlan200-garageswitch
 
danmiles86
just joined
Topic Author
Posts: 14
Joined: Thu Mar 24, 2016 10:54 pm

Re: CRS328 VLAN - Management Port

Sat Jul 11, 2020 4:13 pm

Can anyone even give me a vote of confidence that my config looks roughly correct? Bit of a noob with Mikrotik so could be an obvious problem on my part.

I'm starting to think it's a software bug not passing the VLANs to the CPU. I've disabled HW offloading and still get the same issue.
 
mkx
Forum Guru
Posts: 13219
Joined: Thu Mar 03, 2016 10:23 pm

Re: CRS328 VLAN - Management Port

Sat Jul 11, 2020 11:06 pm

Can anyone even give me a vote of confidence that my config looks roughly correct?
No, it does not look entirely correct.

When configuring bridge with vlan-filtering=yes, physical interfaces should be (tagged or untagged) members of said bridge ... VLAN interfaces should then be anchored to bridge interface, not to bridge ports. In your case you should remove definition of vlan200-garageswitch and vlan200-mainrouter vlan interfaces. Remove excess DHCP clients as well.

Just to mention: it seems that sometimes after numerous reconfigurations some config gets mangled and device doesn't perform according to visible configuration. The cure is to reset device to default config and re-apply custom setup (exporting config before reset helps the process).
 
danmiles86
just joined
Topic Author
Posts: 14
Joined: Thu Mar 24, 2016 10:54 pm

Re: CRS328 VLAN - Management Port

Sat Jul 11, 2020 11:24 pm

Thanks Metod.

I have done many many many resets! But a good reminder regardless.

I had tried with and without the VLAN interfaces on the bridge ports but still no luck. I guess I just had them there at this point for easy troubleshooting. What is odd is that when there is no bridge these port interfaces work as I expect, which at least helps me confirm the config on my router linking in to this switch is correct. However when I enable the VLAN interfaces on the bridge they do nothing. Won't work for DHCP client and can't ping out if IP manually assigned either.

At present I have gone with the work around of setting the PVID on the bridge and applying the IP address directly to the bridge. This works fine but limits me to only having an IP on one VLAN.

Can you confirm this would be correct:
/interface vlan
add interface=bridge1 name=vlan200-bridge vlan-id=200

/ip address
add address=10.200.0.10/24 interface=vlan200-bridge network=10.200.0.0
I should then be able to ping to/from this interface over the trunk port?

PS the trunk ports work fine. They will correctly bridge traffic between the trunk ports and will also remove the vlan tags on access ports as expected. I just can't get a management interface.
 
danmiles86
just joined
Topic Author
Posts: 14
Joined: Thu Mar 24, 2016 10:54 pm

Re: CRS328 VLAN - Management Port

Sun Jul 12, 2020 12:18 am

OK done another complete reset and start again, this time trunking port 10.

This time 3 configs;
No1. VLAN10 Interface on the port, no bridge. IP address applied to VLAN interface. - This works as expected. Can ping the router.
No2. VLAN10 Interface on the bridge instead of the port. IP address still applied to the VLAN interface - This DOES NOT work as expected. Cannot ping the router.
No3. No VLAN 10 Interface. PVID changed to 10 on the bridge. IP address applied to the bridge. - This also works as expected. Can ping the router.

I'm starting to get more confident this is a software issue but being a noob would still like some other opinions on this. Tried software from all 4 release channels today with essentially the same behaviour on each. I also swapped the CRS328s around and tried a second brand new one. Still the same behaviour.

For the sake of my sanity someone please confirm if I have this correct? Thank you.

Config 1 - Working
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1-mainrouter
set [ find default-name=sfp-sfpplus2 ] name=sfp-sfpplus2-garageswitch
/interface vlan
add interface=sfp-sfpplus1-mainrouter name=vlan10-port-interface vlan-id=10
/ip address
add address=10.10.10.5/24 interface=vlan10-port-interface network=10.10.10.0
Config 2 - Not Working
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1-mainrouter
set [ find default-name=sfp-sfpplus2 ] name=sfp-sfpplus2-garageswitch
/interface vlan
add interface=bridge1 name=vlan10-bridge vlan-id=10
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1-mainrouter
add bridge=bridge1 interface=sfp-sfpplus2-garageswitch
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1-mainrouter,sfp-sfpplus2-garageswitch \
    vlan-ids=10
/ip address
add address=10.10.10.5/24 interface=vlan10-bridge network=10.10.10.0
Config 3 - Working
/interface bridge
add name=bridge1 pvid=10 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1-mainrouter
set [ find default-name=sfp-sfpplus2 ] name=sfp-sfpplus2-garageswitch
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1-mainrouter
add bridge=bridge1 interface=sfp-sfpplus2-garageswitch
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1-mainrouter,sfp-sfpplus2-garageswitch \
    vlan-ids=10
/ip address
add address=10.10.10.5/24 interface=bridge1 network=10.10.10.0
 
mkx
Forum Guru
Posts: 13219
Joined: Thu Mar 03, 2016 10:23 pm

Re: CRS328 VLAN - Management Port  [SOLVED]

Sun Jul 12, 2020 12:32 am

What you're missing in all setups is to add bridge1 interface as either tagged or untagged member of corresponding VLAN (just the way it's done with physical interfaces).

It works when bridge1 interface is untagged member of a vlan (i.e. when it has pvid set) because untagged ports are added to the list of member ports implicitly... but you have to add tagged ports explicitly.
 
danmiles86
just joined
Topic Author
Posts: 14
Joined: Thu Mar 24, 2016 10:54 pm

Re: CRS328 VLAN - Management Port

Sun Jul 12, 2020 12:52 am

Thanks Metod but I'm not sure I understand.

So on my example 2 which is not working, what config would I need to add? Do you mean this?
/interface bridge vlan
add bridge=bridge1 tagged=\
    sfp-sfpplus1-mainrouter,sfp-sfpplus2-garageswitch,bridge1 vlan-ids=10

Can't get my head around why you add the bridge to itself?
 
mkx
Forum Guru
Posts: 13219
Joined: Thu Mar 03, 2016 10:23 pm

Re: CRS328 VLAN - Management Port

Sun Jul 12, 2020 12:34 pm

Exactly.

In MT world, bridge (as software entity) has two personalities:
  1. switch-like personality
    This is the personality one probably has in mind when creating bridge. It, very much like a switch, spans member ports. Setting vlan-filtering to yes makes bridge VLAN-aware.
  2. interface
    This personality gets created automatically, so it's not obvious. It is there for ROS, run by main CPU, to interact with bridge-connected networks ... kind of CPU gateway to networks, connected to bridge (switch-like personality)
    It's this personality in play whenever bridge is used where a physical (or virtual) interface would be used (e.g. it has address set, it's used as anchor for vlan interfaces, a DHCP server is bound, etc)

In the example setup you posted it's personality #1 referred to in bridge=bridge1 part and personality #2 is referred to in the list of (tagged) interfaces members of VLAN with specified VID.

If bridge passes multiple VLANs between member ports (e.g. it's used as an ethernet switch) and device only has to interact with a few (e.g. management VLAN of a switch or it needs to perform routing for that VLAN), bridge interface needs to be member of only those select VLANs. Which makes device more secure.
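
A way to check an exported config for the two mistakes identified in this thread (a VLAN interface anchored on a bridge port, and a bridge-anchored VLAN interface whose bridge is not a tagged member of that VLAN). This is an added example, not part of the original posts; the function names are illustrative, and it goes slightly beyond the thread by also accepting vlan-ids lists and ranges.

```python
import re
import shlex

# Config 2 from the thread (trimmed); FIXED is a constructed variant with bridge1 tagged.
CONFIG_2 = r"""
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan10-bridge vlan-id=10
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1-mainrouter
add bridge=bridge1 interface=sfp-sfpplus2-garageswitch
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1-mainrouter,sfp-sfpplus2-garageswitch \
    vlan-ids=10
"""
FIXED = CONFIG_2.replace("garageswitch \\", "garageswitch,bridge1 \\")

def parse_export(text):
    """Map each '/section' to the key=value dicts of its 'add' lines."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            current.append(dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return sections

def expand_ids(spec):  # '10,20-22' -> {10, 20, 21, 22}
    bounds = (p.partition("-") for p in spec.split(","))
    return {i for lo, _, hi in bounds for i in range(int(lo), int(hi or lo) + 1)}

def lint(text):
    """Return findings for VLAN interfaces the CPU cannot reach through the bridge."""
    cfg = parse_export(text)
    bridges = {b["name"] for b in cfg.get("/interface bridge", [])}
    ports = {p["interface"] for p in cfg.get("/interface bridge port", [])}
    cpu_tagged = set()  # (bridge, VLAN ID) pairs that list the bridge itself as tagged
    for row in cfg.get("/interface bridge vlan", []):
        if row["bridge"] in row.get("tagged", "").split(","):
            cpu_tagged |= {(row["bridge"], i) for i in expand_ids(row["vlan-ids"])}
    findings = []
    for v in cfg.get("/interface vlan", []):
        parent, vid = v["interface"], int(v["vlan-id"])
        if parent in ports:
            findings.append(f"{v['name']}: anchored on bridge port {parent}, not on the bridge")
        elif parent in bridges and (parent, vid) not in cpu_tagged:
            findings.append(f"{v['name']}: {parent} is not a tagged member of VLAN {vid}")
    return findings
```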
 
danmiles86
just joined
Topic Author
Posts: 14
Joined: Thu Mar 24, 2016 10:54 pm

Re: CRS328 VLAN - Management Port

Sun Jul 12, 2020 1:51 pm

Thank you Metod, a useful explanation that I'm sure will help others too. I wish this was included in the wiki.

The learning curve with Mikrotik really is steep. Some good hardware at a great price but losing time on challenges like this makes it a tough entry point.